[00:05.680 --> 00:11.860]  Good morning, Beth. I'm Pete Cooper, Director of the Aerospace Village, and on behalf of the team,
[00:11.860 --> 00:17.700]  welcome to the Aerospace Village at Virtual DEF CON 28. Not quite what we all thought was
[00:17.700 --> 00:23.060]  going to be the plan, but let's face it, 2020 is trying to throw as many curveballs at us as
[00:23.060 --> 00:29.640]  possible. So while we're all trying to stay safe and healthy, we've got an amazing three days of
[00:29.640 --> 00:33.980]  virtual content lined up for you, irrespective of you being completely new to this or whether
[00:33.980 --> 00:39.900]  you're a seasoned black badge holder. Aviation is really a cornerstone of the global infrastructure
[00:39.900 --> 00:45.600]  and economy, and while passenger safety is at an all-time high, the increasing adoption of
[00:45.600 --> 00:50.760]  connected and digitized technologies is exposing aircraft, airports, satellites, and
[00:51.640 --> 00:58.640]  the interdependent aerospace ecosystem to new types of risks and threats. And the consequences
[00:58.640 --> 01:04.640]  of a cyber security failure in a ground, air, or space-based system can impact human life,
[01:04.640 --> 01:09.640]  public safety, and even a crisis of confidence in the trustworthiness of air travel, which
[01:09.640 --> 01:15.200]  could undermine economic and national security. And as those traditional domains of aviation,
[01:15.200 --> 01:20.380]  safety, and security increasingly overlap, the more we can collaborate to enable stakeholders
[01:20.380 --> 01:26.080]  ensures that we're going to be safer and sooner together. The Aerospace Village is a non-profit
[01:26.080 --> 01:33.340]  set up and led by a volunteer team of hackers, pilots, engineers, policy advisors,
[01:33.340 --> 01:39.320]  who come from both across the public and private sectors. And why have we done this? Because we
[01:39.320 --> 01:45.960]  want to build an inclusive community around the topic of aerospace security, inspire you to get
[01:45.960 --> 01:51.080]  involved in one of the most amazing and growing areas of research that's out there, and promote
[01:51.080 --> 01:56.730]  and build aerospace cybersecurity knowledge and expertise. And through the Aerospace Village,
[01:57.140 --> 02:02.440]  the research community really is inviting everybody, be they industry leaders, researchers,
[02:02.440 --> 02:08.660]  academia, anybody interested in aviation, space security, safety, and resilience, to come in,
[02:08.660 --> 02:13.440]  understand, learn, and collaborate together. Because empathy and understanding is going to
[02:13.440 --> 02:19.240]  build common ground. Any sort of acts and words looking to increase division between the communities
[02:19.240 --> 02:23.700]  is going to undermine the efforts of us working together. So we're looking to welcome anybody and
[02:23.700 --> 02:28.620]  everybody who's wanting to improve aviation and space security, safety, and resilience through
[02:28.620 --> 02:36.220]  positive and productive collaboration. This isn't just a cool topic with a huge scope of cool tech.
[02:36.640 --> 02:42.400]  There's loads of research on the topic already, but it's a global topic and it's only getting
[02:42.400 --> 02:48.420]  bigger. And there's so much that is out there that is great to look at and explore.
[02:48.600 --> 02:56.320]  Last year, we had the Aviation Village at DEF CON. That was our first year, and we had great activity
[02:56.320 --> 03:02.560]  across airports, air traffic management, and aircraft, and great engagement. It's all massively
[03:02.560 --> 03:06.420]  interconnected and interdependent, and we started building out bridges across the community and
[03:06.420 --> 03:12.380]  industry. But since then, on the importance of such efforts, there's been some great progress.
[03:12.400 --> 03:18.980]  For example, international initiatives. The UN body for aviation, which is ICAO,
[03:18.980 --> 03:25.720]  with 193 member states, published late last year their first cyber security strategy for aviation,
[03:26.260 --> 03:30.800]  which specifically called out that states should give adequate protection to good faith researchers.
[03:31.280 --> 03:34.980]  And that's more and more recognition that such research like this is a positive thing,
[03:34.980 --> 03:39.220]  and it needs to be encouraged as well as protected. And additionally, there's also
[03:39.220 --> 03:43.720]  industry initiatives. For example, Boeing standing up an industry cyber technical council
[03:44.420 --> 03:49.180]  that actually incorporates the research and hacking community working with the team there.
[03:49.860 --> 03:55.240]  So this year, we've evolved into the Aerospace Village. Aviation is critically dependent on
[03:55.240 --> 04:01.080]  space, and the sector is really the aerospace sector. So yeah, we rolled into space, and we've
[04:01.080 --> 04:05.060]  now got a security community that's stretching from Earth into orbit. And a big part of that
[04:05.060 --> 04:10.100]  effort this year is the Hack-A-Sat CTF, which is pretty much the coolest CTF that isn't on the
[04:10.100 --> 04:17.620]  planet. And more of that later. It's amazing the support that we've got this year to help put on
[04:17.620 --> 04:25.840]  an amazing event for you over the next three days. And that support stretches from the USAF, DDS,
[04:25.840 --> 04:32.220]  CISA, Boeing, the American Institute of Aeronautics and Astronautics, both the aviation
[04:32.220 --> 04:38.600]  and space ISACs, Thales, Capitol Tech University, California Polytechnic, Pen Test Partners, I Am The
[04:38.600 --> 04:44.840]  Cavalry, Rapid7, and even astronaut Pam Melroy is here, and more. All looking to try and give you
[04:45.560 --> 04:51.640]  a great experience and learn as much and play with as much as you want to over the next three days.
[04:51.880 --> 04:57.760]  We've got everything from topics on aircraft, airports, air traffic management, so air traffic
[04:57.760 --> 05:04.620]  control, aircraft, and space. Everything from satellites to ground stations. And we've got talks,
[05:04.620 --> 05:11.840]  panels, workshops, and CTFs, and everything from beginning to advanced. So please find our website
[05:12.400 --> 05:19.980]  at aerospacevillage.org, which has got the schedule and more content about what's on and what we're
[05:19.980 --> 05:25.740]  doing both now for DEF CON and as we're going forwards. And subscribe to us on YouTube and
[05:25.740 --> 05:32.020]  follow us on Twitter at Secure Aerospace. And finally, to really pull together and drive this
[05:32.020 --> 05:36.780]  amazing event, it takes an amazing team. And it's an honor to be a part of that amazing team. So when
[05:36.780 --> 05:41.320]  you're pleased floating around the virtual village, look out for the village leads and those team
[05:41.320 --> 05:46.200]  members. Say hi and thanks. They are the most awesome group of people that pull this together.
[05:48.320 --> 05:53.680]  So next up are two guest speakers that are going to help us open up the Aerospace Village this
[05:53.680 --> 05:57.480]  year. Partnerships are going to be really important to help build out this community and
[05:57.480 --> 06:04.500]  build trust between the hacking and researching community and industry and government. So it's
[06:04.500 --> 06:10.980]  great to have them here speaking at the opening. So the first is CISA Director Chris Krebs and this
[06:10.980 --> 06:17.840]  is the conversation that I had with him. Thank you. So welcome everybody to the Aerospace Village
[06:17.840 --> 06:23.480]  and I'm honored to have Director CISA Chris Krebs with us to help with the opening. So
[06:23.480 --> 06:28.640]  good morning Chris. Hey Pete, thanks for having me. Good to be here with you and the Aerospace
[06:28.640 --> 06:37.680]  Village, formerly the Aviation Village. It's a journey. It always is. So you came to the Aviation
[06:37.680 --> 06:42.780]  Village last year. We've got the Aerospace Village this year and I know that you and the CISA team
[06:42.780 --> 06:48.640]  are working really, really hard on the aerospace sector. But what's unique do you think about the
[06:48.640 --> 06:53.080]  aerospace sector when it comes to some of the challenges that we're facing across the security
[06:53.080 --> 07:02.640]  perspective? Yeah, I think it's representative of almost everything else in the kind of almost the
[07:02.640 --> 07:08.380]  industrial or life safety space. Things that historically have not been connected or relied
[07:08.380 --> 07:15.280]  upon overly networked systems, IT systems that either touch the internet or have paths of entry.
[07:15.460 --> 07:20.960]  That's different than it was 10 plus years ago. You know, when a plane used to
[07:21.720 --> 07:29.960]  lose the contact with the earth, it also lost contact, generally speaking, with communications
[07:29.960 --> 07:37.440]  channels. So what we're seeing now though is due to various customer demands, other navigation
[07:37.440 --> 07:45.080]  requirements, that yeah, there are pathways into a plane. And frankly, what's at stake?
[07:45.080 --> 07:52.240]  And we're really truly talking about lives here. So, you know, when I look at both aviation but
[07:52.240 --> 07:59.580]  more broadly aerospace, it's not just about the things that are moving around in the air,
[07:59.580 --> 08:05.020]  it's the things that are going through the infrastructure itself. You know, look at
[08:05.020 --> 08:09.840]  what's happened here in the US over the last year or so. It's the establishment of Space Command.
[08:09.840 --> 08:16.420]  Why? It's because the space-based infrastructure is that critical to just day-to-day operations.
[08:16.420 --> 08:25.620]  When you talk about PNT, when you talk about satellite-based communications, it really is a
[08:25.620 --> 08:32.140]  incredibly critical slice of not just our infrastructure, but of frankly our economy.
[08:33.360 --> 08:39.640]  So do you think that the threat actors are different to the other sectors, or is this
[08:39.640 --> 08:44.800]  still the same sort of threat environment that we're looking at here? Well, I do think that there
[08:44.800 --> 08:48.140]  are a couple different things you got to think about with the threat actors. So yes, there are
[08:48.140 --> 08:55.600]  absolutely threat actors that are focusing in on this aerospace ecosystem. And not that
[08:55.600 --> 09:00.800]  it's been a steady state thing, I think it's increasing. They're understanding the
[09:00.800 --> 09:05.860]  ability and the capability, particularly when you talk about functional disruptions.
[09:06.380 --> 09:12.860]  The future of warfare is not necessarily going to be on the plains of Europe. The first strike
[09:12.860 --> 09:18.820]  capabilities that you would see launched against our infrastructure are things we need to be
[09:18.820 --> 09:24.980]  thinking about. And that's from an elections perspective, election infrastructure perspective,
[09:24.980 --> 09:29.860]  that's what I've been talking about now for years. What was so dramatic or significant about the
[09:29.860 --> 09:38.300]  2016 interference with the US election was it was almost a Sputnik moment. Take us back to 1957,
[09:38.300 --> 09:44.880]  and the Russia, the Soviets at the time, put Sputnik into low Earth orbit. It wasn't that
[09:44.880 --> 09:49.180]  they got to space first, it was that they had an ICBM, they had this capability to overcome
[09:49.180 --> 09:56.860]  geographic distancing and reach out and touch us. Why was 2016 the same? It was because cyber
[09:56.860 --> 10:01.620]  could be used as that tool to reach out and touch us and destabilize democracy.
[10:01.740 --> 10:08.100]  I think the future, again, of conflict is going to be using these infrastructure aspects
[10:08.100 --> 10:13.620]  against us to undermine our confidence, undermine our ability, or undermine our willingness
[10:14.880 --> 10:20.160]  to do the things that need to be done. And thanks for that. And so it shows that really,
[10:20.160 --> 10:25.280]  that this is touching on pretty much all the themes about trust and resilience across all
[10:25.280 --> 10:30.880]  the other sectors as well. But for those that are sort of new into the aerospace sector, and
[10:30.880 --> 10:37.520]  we've got loads of researchers and hackers that are now really engaging on the topic,
[10:38.160 --> 10:45.260]  what's the key challenge for yourselves on trying to look at the safety and security aspects of it?
[10:45.260 --> 10:50.500]  Because it's a safety critical industry. So we've got the FAA and also CISA in the frame as well.
[10:50.500 --> 10:57.520]  Can you try and help explain to the audience out there is actually how does that balance work
[10:57.520 --> 11:01.980]  on working through safety and security with the different partners that are out there?
[11:02.720 --> 11:09.380]  So, oh, wow. So, you know, there are the technical aspects of it, actually getting access to the
[11:09.380 --> 11:14.640]  equipment. This is not kit you can typically just find out there hanging on eBay.
[11:14.900 --> 11:19.760]  So there are some proprietary systems that you've got to be able to get access to and
[11:19.760 --> 11:26.980]  work in an environment that's trusted. I think that's the second aspect. Beyond the technical,
[11:26.980 --> 11:32.040]  it's the relationship piece and the trust. You know, this is, I think, that constant struggle,
[11:32.040 --> 11:36.420]  that constant tension between the research community and the owner operators or the
[11:36.420 --> 11:44.920]  vendors is how do you have an effective, a meaningful conversation about security and trust
[11:44.920 --> 11:50.760]  when you add life safety? Same things for the medical device community, too. You know, unfettered
[11:50.760 --> 11:56.240]  access into a piece of equipment that has life safety implications is not something to be toyed
[11:56.240 --> 11:59.960]  with. And you want to make sure that you've got open lines of communication. You're not just
[11:59.960 --> 12:05.380]  dropping a ball onto the open market without giving the folks that are maintaining those
[12:05.380 --> 12:11.780]  systems the appropriate time to control or to implement. But that also, you know, when you talk
[12:11.780 --> 12:19.180]  about these proprietary systems, there are some DMCA and other issues that really restrict the
[12:19.180 --> 12:24.460]  ability or the access. So we have looked over the last several years to help really foster those
[12:24.460 --> 12:28.920]  conversations to bring the security researcher community together with the vendor community.
[12:28.920 --> 12:33.440]  And it's been a journey. You talk about the journey from the aviation village to the aerospace
[12:33.440 --> 12:40.820]  village. It's really been a journey. And I am so incredibly, you know, impressed by a number of the
[12:40.820 --> 12:47.080]  bigger companies out there that, you know, a year and a half ago, weren't particularly interested,
[12:47.080 --> 12:52.580]  for instance, in participating in the village. But now they're meaningful, full-bore, full-throated
[12:52.580 --> 12:58.300]  supporters and members because they get the kind of force multiplier aspect. I'd rather have you
[12:58.300 --> 13:04.340]  on my team than working against me. That sort of mentality has really taken root. And we're,
[13:04.340 --> 13:09.560]  you know, proud to be a part of that effort to keep driving forward. No, thanks. And it's that
[13:09.560 --> 13:14.420]  challenge of trying to make sure the dialogue's there because the perspectives are different.
[13:15.560 --> 13:20.580]  And it feels like trying to fit a really small Venn diagram together and just getting that common
[13:20.580 --> 13:27.740]  ground in the middle. But what do you think CISA, I mean, and partnering with us on the villages
[13:27.740 --> 13:35.620]  is great. But what do you think we, the village and the community, and CISA would want to be
[13:35.620 --> 13:42.440]  doing in the next sort of year? I mean, how do you think that that can work better across all
[13:42.440 --> 13:46.540]  of those stakeholders? And also as well, what message would you be giving to industry across
[13:46.540 --> 13:53.580]  that as well? Yeah, so last year, for instance, we were kind of silent partners, helping,
[13:53.580 --> 14:00.480]  again, facilitate some of the conversations, but not a financial supporter, not a, you know,
[14:00.480 --> 14:06.900]  really staffing supporter. We had folks there last year in Vegas, this year, much more engaged
[14:06.900 --> 14:11.480]  in the planning, bringing the partners together, working with the information sharing and analysis
[14:11.480 --> 14:16.780]  centers, working with the vendors. I think going forward, I really want to see, you know, assuming
[14:16.780 --> 14:22.420]  we, and hopefully we get through this, this current pandemic where we can get back together
[14:22.420 --> 14:30.520]  physically, really would love to see more practical environmental environments that
[14:30.520 --> 14:35.720]  we can bring researchers in to take, you know, start shooting holes in things, figuratively,
[14:35.720 --> 14:40.320]  not literally. But, you know, we've been working in our industrial control systems initiative
[14:40.320 --> 14:47.480]  to develop environmental laboratories, so our CELR program, where we've got control systems
[14:47.480 --> 14:53.320]  environments that folks can mess around with, that they can either conduct research on, we can
[14:53.320 --> 14:57.800]  tailor them to specific environments like water, but also I think aviation is a great opportunity
[14:57.800 --> 15:04.900]  going forward where we can continue, you know, it's almost like democratizing security for the
[15:04.900 --> 15:10.660]  control system space and including the aerospace environment. You know, again, it's just making
[15:10.660 --> 15:18.200]  these partnerships more accessible to everyone and much, much more open. And again,
[15:18.200 --> 15:23.080]  you know, the concept here really more than anything is let's democratize this. It does
[15:23.080 --> 15:28.740]  not happen overnight, so we've all got to be patient, keep plucking away. And yeah, sometimes
[15:29.460 --> 15:33.800]  various parts of the community raise their voice and get a little frustrated with others, but
[15:33.800 --> 15:37.740]  keep working on it. And the more we work on it, the more trust we'll build and the more we'll be
[15:37.740 --> 15:42.940]  able to do in the out years. And is this the same journey that you've seen across the other
[15:42.940 --> 15:48.640]  sectors as well? I mean, from what we're seeing across the research and hack community and the
[15:48.640 --> 15:55.560]  dialogue that we've got with industry and regulators and everybody is that actually,
[15:55.560 --> 16:01.880]  this is a journey that has its ups and downs. And it's not always an easy path because there
[16:01.880 --> 16:09.080]  are so many different and quite strong perspectives out there. But it sort of feels
[16:09.080 --> 16:14.660]  like this is a journey that other sectors have gone through as well. Yeah, absolutely. And again,
[16:14.660 --> 16:20.160]  I'll make second elections. If somebody's got the Chris Krebs bingo card, if I don't mention
[16:20.160 --> 16:25.240]  election security like six times in any speech, even if it has nothing to do with election security,
[16:25.240 --> 16:33.400]  I've failed. But election security is a great example. So in 2016, when it first started
[16:33.400 --> 16:39.120]  becoming apparent what the Russians were trying to do, there wasn't an established, vibrant
[16:39.720 --> 16:47.520]  community of practice in election security. Yes, there was a security research core team that was
[16:47.520 --> 16:52.180]  looking at these issues, but it hadn't really gone mainstream. You didn't really have the vendors
[16:52.180 --> 16:58.240]  on board. You didn't have the operators of the systems, the practical operators of the system.
[16:58.240 --> 17:02.560]  But over the last three or four years, we really worked hard to bring all those partners together
[17:02.560 --> 17:08.320]  and again, create that vibrant community of practice. And so as we look into 2020 election,
[17:08.320 --> 17:13.620]  feel much more comfortable, much better about where things are, the security state of various
[17:13.620 --> 17:19.520]  systems. Are we where we need to go? Oh, hell no. I mean, there is still work to be done.
[17:19.520 --> 17:26.120]  Absolutely. But by coming together all aspects of the community, we have ensured, or at least
[17:26.120 --> 17:30.700]  we're working towards that additional level of assurance that we're doing the right thing. We're
[17:30.700 --> 17:38.720]  defending democracy. And again, the 2020 should be the most secure election in history. So again,
[17:38.720 --> 17:44.480]  you got to break it down. Why did we get there? What led or what contributed to
[17:45.180 --> 17:49.920]  the progress we've made over the last four years? I kind of, you know, I've stolen this from
[17:49.920 --> 17:55.340]  General Mattis, who I think adapted his leadership style from General Washington,
[17:56.280 --> 18:03.640]  President Washington. And it's basically four things. Listen, learn, help, lead. So we're still,
[18:03.640 --> 18:10.040]  I think, in that learning phase of leadership and understanding the community and transitioning
[18:10.040 --> 18:17.100]  well, I think, into the help space. But here in the aviation airspace world, there's opportunities
[18:17.100 --> 18:22.500]  for leadership. And so we're looking at those, seeing what we can do, again, to bring this
[18:22.500 --> 18:29.560]  community together, bring this practical research and sharing of ideas and information. Last thing
[18:29.560 --> 18:37.460]  I think I'll mention is, you know, I think it goes in just about any other discipline within
[18:37.460 --> 18:44.580]  the security research community is vulnerability coordination. And how do you do that in a way
[18:44.580 --> 18:51.920]  that gives the defender an opportunity to close out any gaps before the bad guys have
[18:52.660 --> 18:58.200]  proof of concept? We've seen it in the election space. We've seen it here.
[18:58.820 --> 19:06.360]  You know, there are opportunities to help the defender before advantaging the offensive
[19:06.360 --> 19:12.160]  security side of the offense, the threat actor. So to the extent that we can continue to build
[19:12.160 --> 19:17.520]  those partnerships between the security research community and the vendors, I think we're going to,
[19:17.520 --> 19:22.220]  again, we're going to continue advancing towards a defensive advantage position.
[19:23.040 --> 19:30.220]  Thanks. And that touches on so many different areas. I think one of the things that you've
[19:30.220 --> 19:33.580]  been talking about there from the democratization of it, from the amount of research and hackers
[19:33.580 --> 19:40.120]  that we've got contributing to the village through either breakers yards or buying stuff
[19:40.120 --> 19:43.200]  off the internet and things like that. And actually, they're doing some really great
[19:43.200 --> 19:48.460]  research on what they're finding. And it's trying to make sure that those pathways exist to be able
[19:48.460 --> 19:53.780]  to talk about some of those findings and go through it. Because that then sparks a dialogue
[19:53.780 --> 20:00.580]  that actually allows engagement to happen and actually that progress to be made. So yeah,
[20:00.580 --> 20:07.000]  there's loads of lessons across all of that. To be perfectly clear here, I'm not casting
[20:07.000 --> 20:13.660]  any aspersions or judgment on any part of the community right now. Whether you're on the vendor
[20:13.660 --> 20:21.600]  side of the security research community, I think everybody's got... you talk about ups and downs.
[20:21.840 --> 20:26.920]  Everybody, I think, has made some good strides forward over the last couple of years and we want
[20:26.920 --> 20:32.820]  to continue making those. But it's got to be an open conversation. It's got to be forward-thinking
[20:32.820 --> 20:39.380]  and progressive. That's the only way we're going to get where we need to be.
[20:40.200 --> 20:45.320]  Yeah, and actually... and look at the scale of the challenge. I mean, you touched upon the elections
[20:45.320 --> 20:49.920]  on... if you just sort of sat back and said, let's just protect the elections. I mean, that's a massive
[20:49.920 --> 20:55.000]  task. If we look across the aerospace sector, with everything from airports, the air traffic
[20:55.000 --> 21:01.900]  management aspects, the aircraft, and then space, be that ground stations or all the on-orbit assets,
[21:03.280 --> 21:10.740]  the scale of that is huge. And it's a massively interdependent sector as well. How do we scale
[21:10.740 --> 21:15.100]  this, from your perspective, looking at this nationally and also internationally, with all of
[21:15.100 --> 21:20.180]  the international work you and the team are involved in? But how do we make sure that we
[21:20.180 --> 21:25.840]  do this in lily pads of excellence? I think that's exactly what we've been doing
[21:25.840 --> 21:31.920]  over the last couple years. Everybody's got their normal partners that they work with.
[21:31.920 --> 21:37.100]  And that really became clear to me last year. We were going through a process, working with the
[21:37.100 --> 21:45.220]  Department of Commerce, trying to understand across the telecommunications sector, the ICT folks,
[21:45.220 --> 21:53.000]  where really the most risk lies in terms of supply chain vulnerabilities. Not vulnerabilities,
[21:53.000 --> 21:57.780]  but risks, really, more than anything. And what we found is we didn't have a really strong
[21:57.780 --> 22:05.460]  relationship with the satellite communities in the industry. And it was an area that I think
[22:05.460 --> 22:09.080]  they realized as well, that they didn't really know what we were doing, what our role was. So
[22:09.080 --> 22:15.200]  to get to those elements of scale, I think it's got to be these broader conversations,
[22:15.200 --> 22:21.700]  talking both within government, but also within industry, and understanding what the respective
[22:21.700 --> 22:26.480]  lanes in the road are. And, you know, something I've said a couple times now, but, you know,
[22:26.480 --> 22:32.980]  you really, you know, it goes back to that, the mantra of, you know, to improve something,
[22:32.980 --> 22:37.520]  you've got to be able to measure it. Well, to really scope the problem, you have to understand
[22:37.520 --> 22:42.460]  who the players are, and what their roles are, and how we can all work together. So that's what
[22:42.460 --> 22:47.860]  we've really been focusing on, in part through an effort that we have called the National Critical
[22:47.860 --> 22:53.760]  Function. So it's moving away from a 16 sector based understanding of US critical infrastructure,
[22:53.760 --> 22:58.100]  but instead distilling it down to what are the actual services, what are the functions,
[22:58.100 --> 23:04.680]  really a systemic risk approach to the economy, and then identifying who the key providers of
[23:04.680 --> 23:10.960]  services are. And in doing so, we'll get that better understanding of risk, better partnerships
[23:10.960 --> 23:18.320]  built, and then better solutions against the risks that we need to manage. And against those risks,
[23:19.440 --> 23:26.660]  would you be expecting those critical service providers to be working with the research
[23:26.660 --> 23:34.660]  community and actively engaging with that community as well? I, yeah, I mean, look, this is,
[23:34.660 --> 23:41.080]  part of our force multiplier here as defenders. The security research community has proven time
[23:41.080 --> 23:48.760]  and time again, that it can help. I am, you know, I'm in a similar situation, honestly,
[23:49.120 --> 23:53.140]  to the security research community, in a lot of respects. All the things we do here at CISA
[23:53.800 --> 23:59.040]  tend to be voluntary, public private partnerships. And the security research community working with
[23:59.040 --> 24:06.140]  is similar, it's a partnership. So you do that by building trust, by understanding what the
[24:06.140 --> 24:11.380]  kind of the needs are, and then putting up a capability or putting a resource or service
[24:11.380 --> 24:17.600]  against that need. And both sides benefit. That's how we operate. And I think that's again,
[24:17.600 --> 24:22.880]  going forward, that's that culture, that community, that we really look forward to
[24:23.520 --> 24:29.780]  being a part of, but also fostering. No, thanks. And I think that everyone's actually,
[24:29.780 --> 24:34.980]  I mean, the momentum that we're building up on all of the dialogue across the aerospace,
[24:34.980 --> 24:40.480]  security research and hack community is building in a really nice way. And actually,
[24:40.480 --> 24:44.640]  the engagement we've got from the vendors is great as well. And I think it's from dialogues
[24:44.640 --> 24:51.440]  such as that from yourselves, and the other industry leads really, is making a huge difference.
[24:52.420 --> 24:57.880]  And when we're talking about sort of all of the challenges and the scale of it,
[24:58.580 --> 25:04.120]  how do we try to sort of not see that necessarily through a work, partly through a workforce lens,
[25:04.120 --> 25:08.500]  but there's a lot of organizations now that are really throwing a lot of effort now on to
[25:09.860 --> 25:15.740]  securing or putting more bandwidth on their security. Therefore, how do we spin up the
[25:15.740 --> 25:20.600]  workforce on this from a national perspective, because getting that getting that crossover
[25:20.600 --> 25:24.600]  between aerospace and cyber security and security is really hard. Getting those people
[25:24.600 --> 25:33.580]  that can understand both worlds is a challenge. Right. You know, I think the ongoing conversations
[25:33.580 --> 25:43.260]  about the gap in cybersecurity workforce is ultimately a little bit, it's almost nihilistic,
[25:43.260 --> 25:48.380]  right? It's like, we're always going to fail in secure code and secure deployment.
[25:48.380 --> 25:52.480]  And I think you've already touched on it a little bit. But, you know, I think the more
[25:52.480 --> 26:01.880]  opportunities for STEM, STEAM, or whatever you want to call it, at the K through 12 level is
[26:01.880 --> 26:08.440]  going to generate a workforce that's more technically savvy. And if we can start folding in
[26:08.440 --> 26:14.480]  rather than bolting cybersecurity expertise on to the after the fact and start building it in
[26:14.480 --> 26:21.620]  whether it's DevSecOps or a security development or software development life cycle, those sorts
[26:21.620 --> 26:27.320]  of approaches, I think, are what we're going to have to adapt. So it's not about building a
[26:27.320 --> 26:33.600]  cybersecurity workforce in the future. It's a security minded engineering and technical
[26:34.020 --> 26:38.160]  workforce to the future. Let's close out these issues before we even get to them. And that's
[26:38.160 --> 26:45.320]  really kind of the mantra that we've got here at the agency. It's defend today, secure tomorrow.
[26:45.320 --> 26:51.160]  What does that mean? So today, we're dealing with patching yesterday's vaults, the stuff that,
[26:51.160 --> 26:56.640]  you know, whatever company dropped. Let's learn from all these examples and figure out how for
[26:56.640 --> 27:02.100]  the next generation, the next iteration of infrastructure deployments, we just don't make
[27:02.100 --> 27:06.420]  things better by design, better by deployment. Let's make our lives a little bit easier. And I
[27:06.420 --> 27:10.460]  frankly, it'd be great if we could put ourselves out of business. That's never going to happen.
[27:10.460 --> 27:17.280]  But it's not a bad thing to shoot for. So I tell you what, this is an issue,
[27:17.280 --> 27:24.540]  workforce, education, that's personal to me. I have five kids here in DC that are in the
[27:24.540 --> 27:31.600]  public education system. And I just see day in, day out, the kind of dearth of, as I see it,
[27:31.600 --> 27:37.320]  appropriate technical education. We've got to overcome that. So there are a number of
[27:37.320 --> 27:44.740]  initiatives that we're working here at CISA that are intended and designed to, again, overcome those
[27:45.460 --> 27:50.960]  shortfalls. And it's not going to be about universities. It's not going to be about
[27:50.960 --> 27:56.120]  colleges. I don't think that's the solution. I think, again, we've got to have better K-12,
[27:56.120 --> 28:04.860]  have better trade school-type education at institutes. Again, it's about putting the
[28:04.860 --> 28:12.600]  tools into the hands of the future workforce and not four-year or post-grad programs.
[28:12.700 --> 28:18.200]  Last thing I'll say on this front is we also need to be smarter about the way that we
[28:19.040 --> 28:25.780]  bring people into the workforce. And in part, that's through our hiring practices. It's through
[28:25.780 --> 28:33.340]  how we advertise for jobs. The Aspen Institute cyber program last summer announced a couple
[28:33.340 --> 28:39.540]  different ways to approach hiring. One is don't over-spec your PDs. Don't over-spec them. Not
[28:39.540 --> 28:47.500]  everybody needs 15 different certifications and 10 years of experience for coding language that's
[28:47.500 --> 28:54.380]  been around for four. You saw that advert as well, then. Yeah, I did. That was a good one.
[28:55.080 --> 29:03.920]  And then also use un-gendered or gender-neutral terms. Unconscious bias is a thing. And how do
[29:03.920 --> 29:08.340]  we get away from that? How can we have a more diverse and inclusive workforce? That diversity
[29:08.340 --> 29:14.040]  and lack thereof in cybersecurity and technical fields is absolutely a thing. And I think it's
[29:14.040 --> 29:20.820]  on us as leaders and voices in the community to drive for change.
[29:21.840 --> 29:26.020]  And hopefully that'll be the way as we go forward. And again, it's something that we're
[29:26.020 --> 29:30.440]  seeing through the village is actually just trying to bring on that next generation to
[29:30.440 --> 29:34.880]  really get engaged on it. And a lot of the activity that we've got in the villages is
[29:34.880 --> 29:42.260]  that crawl-walk type activity to really have that on ramp for not necessarily
[29:45.200 --> 29:49.680]  any sort of specific demographic, but anybody who wants to get involved and start engaging and
[29:49.680 --> 29:55.720]  learning about this sort of stuff. It's an open and engaging community, and that's what makes it
[29:55.720 --> 30:01.300]  so great. So just to kind of rip on this for a second, I think about the way that the federal
[30:01.300 --> 30:09.780]  government here in the U.S. hires. And it's a college degree and three years of experience,
[30:09.780 --> 30:17.320]  and you too can qualify for a GS-9 position. But that sort of experience, I see kids going
[30:17.320 --> 30:26.580]  into college at 18 having six, seven years of coding experience, of in some cases development
[30:26.580 --> 30:33.940]  experience, certainly of research experience. So how do we bring those types and reward them
[30:33.940 --> 30:39.120]  for their experience and recognize that experience and not just say, oh, you don't have a CISSP, so
[30:39.120 --> 30:44.480]  you're not qualified. It's absolutely wrongheaded and backwards, but we have to change that. And so
[30:44.480 --> 30:48.520]  there are a few things, again, that we're doing here in the government. We're trying to change
[30:48.520 --> 30:54.780]  that. There's one hiring regime that we're putting the final touches on, the cyber talent
[30:54.780 --> 31:00.440]  management system that'll do just that. It'll look for experience, practical experience,
[31:00.440 --> 31:05.260]  and reward that through the hiring process, rather than saying you need that four-year degree and you
[31:05.260 --> 31:10.820]  need three years of working in a call center. So we've got a couple of things I think we can do
[31:10.820 --> 31:17.800]  here. It's just a matter of implementation. That sounds really great. Now, before we move on,
[31:17.800 --> 31:25.580]  is there anything that, from your perspective, we haven't touched upon, but you'd want us to
[31:26.120 --> 31:31.920]  pitch out or engage with on the community around the aerospace cybersecurity?
[31:32.820 --> 31:40.940]  Well, just to kind of do a self-serving promo here, just on the last piece, we are hiring CISA.
[31:41.200 --> 31:45.800]  There are a lot of positions that we have that don't require top secret clearances.
[31:46.390 --> 31:52.380]  Either the secret or the no security clearance level. I am looking for practitioners. I'm
[31:52.380 --> 31:57.000]  looking for people that know the community, that can work with the community. I think we have a
[31:57.000 --> 32:01.680]  unique offering and a unique place within the federal government that's really the closest
[32:01.680 --> 32:07.080]  thing to the private sector, the closest thing to the security research community. So check us out
[32:07.080 --> 32:13.960]  at cisa.gov slash careers. We are always hiring. Okay, well, we don't normally do commercial
[32:13.960 --> 32:21.460]  pitches, but I think I'll let you have that one. Chris, many thanks for your time. Thank you for
[32:21.460 --> 32:26.380]  joining us at the kickoff for the Aerospace Village. And hopefully once we get through
[32:27.140 --> 32:30.740]  COVID, then look forward to seeing you again in person. Thank you very much.
[32:31.140 --> 32:34.940]  Hey, thanks, Pete. It's great to be with you. If I was on Room Rater, I'd probably give you about
[32:35.080 --> 32:40.220]  a four out of 10. You'd get probably five or six for all your badges, but your lack of art
[32:40.220 --> 32:45.460]  and any potted plants probably set you back a few. Yeah, I made sure I kicked the cats out,
[32:45.460 --> 32:53.660]  so I thought I'd get a few extra points. Thanks very much. So our next guest speaker is Dr. Will
[32:53.660 --> 32:58.220]  Roper, and I'm honored to have him here this morning. So Dr. Will Roper is the Assistant
[32:58.220 --> 33:04.540]  Secretary of the U.S. Air Force for Acquisition, Technology and Logistics. And he and his team,
[33:04.540 --> 33:08.180]  along with DDS, were great supporters of the village last year and have been again this year
[33:08.180 --> 33:16.060]  as well. And as you can see from the efforts that we've got through the Hack-A-Sat CTF and also
[33:16.060 --> 33:21.980]  the workshops that they've brought along to the village to support us this year, they've shown a
[33:21.980 --> 33:30.220]  huge amount of passion in the topic, and it's great to have him here. So, Dr. Will Roper.
[33:30.220 --> 33:37.400]  Hello, everyone, and welcome to the Aerospace Village at DEF CON 28, Safe Mode. I'm Will Roper,
[33:37.400 --> 33:43.220]  the Head of Air Force and Space Force Programs, and it is a privilege to be at DEF CON for my
[33:43.220 --> 33:50.620]  second year. Last year, I came and was blown away by the technical talent that DEF CON has in this
[33:50.620 --> 33:57.960]  community of creative, inquisitive investigators of all things software-driven. We brought a live
[33:57.960 --> 34:04.840]  hacking opportunity with one of our F-15 fighters, and yes, this community was able to get in.
[34:04.840 --> 34:10.480]  We were left with a lot of great understanding about how to be better in the cyber domain,
[34:10.480 --> 34:15.720]  and we're back this year with an amazing opportunity that's going to teach the community
[34:15.720 --> 34:23.880]  and us how to take good cyber practices into space. Orbiting overhead right now is a satellite
[34:23.880 --> 34:30.120]  that hackers are going to have access to to see if they can apply their skills to get in.
[34:30.120 --> 34:35.080]  They're going to have to understand complicated physics, how satellites communicate with the
[34:35.080 --> 34:41.160]  ground, and how we communicate back in order to overcome this capture the flag challenge.
[34:41.160 --> 34:48.180]  But seeing the talent that's here, my money is on that they will succeed. Now, how cool is that,
[34:48.180 --> 34:55.120]  that winning teams are going to get to have their code run live in space? And what we'll learn is
[34:55.120 --> 35:02.600]  how to make this new area of defense and commercial innovation more cyber secure in the long run.
[35:02.600 --> 35:08.360]  You know, if you back up and you look at how the Air Force engaged, we really sat behind our high
[35:08.360 --> 35:14.600]  walls and fence lines, and we used secrecy as a way to keep our military systems safe. That doesn't
[35:14.600 --> 35:20.940]  make sense in today's world. With so much technology happening commercially, we've got to get outside
[35:20.940 --> 35:27.180]  of our bases and fence lines and be part of this community that continues to push innovation
[35:27.180 --> 35:34.020]  forward. So we are here to share, we are here to learn, and to make openness and transparency
[35:34.020 --> 35:40.780]  part of our equation for being secure. Thank you for being here as part of the Aerospace Village.
[35:40.780 --> 35:45.820]  Thank you for being here to participate in Hack-A-Sat. And next year, when we're back with
[35:45.820 --> 35:51.620]  the next round of the thing we bring to expose to the community, I hope you'll share your thoughts
[35:51.620 --> 35:58.580]  about what opportunity would inspire you to help us learn how to be a better cyber warrior.
[35:58.580 --> 36:04.500]  For the 60 billion dollars of airplanes and satellites and cyber technology that we produce
[36:04.500 --> 36:11.340]  each year, the cutting edge comes from software. Everything we learn about making that cutting
[36:11.340 --> 36:17.900]  edge more secure makes our men and women in uniform, this nation, and our allies and partners
[36:17.900 --> 36:23.940]  and all who work with us safer. So we are proud to be part of this community and can't wait to see
[36:23.940 --> 36:24.980]  what's ahead.
